Archive for July, 2013

————————————————————————————————————–

Log in to the server via SSH.

Run the following commands in "screen" (it keeps your processes running despite a dropped connection).

To scan the entire system:

# clamscan -i -r --log=/var/log/clamscanlog /*

To scan a custom directory:

# clamscan -i -r --log=/var/log/clamscanlog2 "directory to scan"

Example: # clamscan -i -r --log=/var/log/clamscanlog3 /home/*

Options used in the above commands, with their descriptions:

-i  (--infected)        >>    Only print infected files

-r  (--recursive[=yes/no(*)])    >>     Scan subdirectories recursively

--log=FILE  (-l FILE)          >>         Save scan report to FILE

—————————————————————————————————————

———————————————————————————————————————————————-

VirtFS provides a jailed shell environment for a user connected to a server via SSH. Unlike a normal shell environment, a jailed shell environment prevents access to data outside of the user’s home directory. A jailed shell helps increase security for a system administrator’s other users.

How to remove VirtFS

In 11.38, updates to the jailed shell system were created to improve security. As a result, it is not possible to completely remove VirtFS.

Warning: The directions below do not necessarily remove a jailed shell.

Before you can safely remove the jailed shell environment, you must unmount all bind mounts under /home/virtfs/$user/.

To unmount a bind-mounted directory, use the umount command.

For example, to unmount /home/virtfs/username/usr/bin (replace username with the cPanel user’s name), run the following command:

# umount /home/virtfs/username/usr/bin

Once you have unmounted the bind mounts, you can remove the user’s directory under /home/virtfs. To see whether a directory is still bind-mounted, search for the appropriate username in /proc/mounts. You can do this with the following command (replace username with the cPanel user’s name):

# grep -i 'username' /proc/mounts
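
The check above as a script, added here as an example and not part of cPanel's tooling or the original post: it reads a user's VirtFS mount points from /proc/mounts by exact path prefix, prints the umount commands deepest-first, and reports whether any mount remains. The function names and the VIRTFS_ROOT, MOUNTS_FILE and DRY_RUN variables are assumptions of this example, and the sample mount table is constructed.

```sh
#!/bin/sh
# Added example. VIRTFS_ROOT, MOUNTS_FILE and DRY_RUN are assumptions of this
# sketch (not cPanel settings); they let the logic be exercised offline.
VIRTFS_ROOT="${VIRTFS_ROOT:-/home/virtfs}"
MOUNTS_FILE="${MOUNTS_FILE:-/proc/mounts}"

# Print the user's VirtFS mount points, deepest path first, so nested mounts
# are released before their parents. Field 2 of the mount table is matched by
# exact path prefix, so user "bob" never matches "bobby" (a plain grep would).
virtfs_mounts() {
    awk -v root="$VIRTFS_ROOT/$1" \
        '$2 == root || index($2, root "/") == 1 { print length($2), $2 }' \
        "$MOUNTS_FILE" | sort -rn | cut -d' ' -f2-
}

# Unmount each mount point; with DRY_RUN=1 (the default) only print the commands.
virtfs_unmount_all() {
    rc=0
    while IFS= read -r mp; do
        [ -n "$mp" ] || continue
        if [ "${DRY_RUN:-1}" = "1" ]; then
            echo "umount $mp"
        else
            umount "$mp" || rc=1
        fi
    done <<EOF
$(virtfs_mounts "$1")
EOF
    return "$rc"
}

# Succeed only when nothing is mounted under the user's VirtFS directory.
# A recursive delete would descend into a still-active bind mount and operate
# on the real files behind it, so the directory is removed only after this passes.
virtfs_safe_to_remove() {
    [ -z "$(virtfs_mounts "$1")" ]
}

# Constructed sample in /proc/mounts format (not captured from a real server).
write_sample_mounts() {
    cat > "$1" <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda1 /home/virtfs/bob/usr ext4 ro,relatime 0 0
/dev/sda1 /home/virtfs/bob/usr/bin ext4 ro,relatime 0 0
/dev/sda1 /home/virtfs/bobby/usr/bin ext4 ro,relatime 0 0
EOF
}
```

Set DRY_RUN=0 to perform the unmounts, and remove the user's directory only after virtfs_safe_to_remove succeeds.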

How to disable VirtFS

To disable VirtFS, you can disable jailed shell access via both the Tweak Settings and Manage Shell Access interfaces in WHM.

Note: If a system administrator disables jailed shell access for a user, the user’s shell will be set to /usr/local/cpanel/bin/noshell. The user will still have access to SFTP in a non-jailed environment.

Exim in a jailed shell or disabled shell

When a user’s shell is configured to jailshell or noshell, Exim runs any process created from alias or filter files inside of VirtFS. This action provides extra security because Exim commands will run in a jailed shell and not affect other users. Before 11.38, Exim did not run in a jailed shell. As a result, there was a higher probability that filters and pipes in a jailed shell or disabled shell would act the same.

You can remove all bind mounts for a particular user with the following command (replace username with the cPanel user’s name):

# /usr/local/cpanel/3rdparty/bin/perl -MCpanel::Filesys::Virtfs -e 'Cpanel::Filesys::Virtfs::clean_user_virtfs("username");'

With your bless…

Posted: July 28, 2013 in Uncategorized

With your blessings ……!!!! Let’s start our journey ..!!!!